RunReveal
SourcesSource Types

Hugging Face Audit Logs

The Hugging Face Hub audit log records user and system actions across your organization, including repository management, membership and access control changes, SSO and OAuth events, billing changes, and Spaces and Jobs activity. These logs help security and compliance teams maintain audit trails, monitor administrative activity, and build detections on access to your Hugging Face resources.

Ingest Methods

Setup the ingestion of this source using one of the following guides.

API Polling

Hugging Face supports API polling to collect audit log events from your organization via the audit-log export endpoint (GET /api/organizations/{name}/audit-log/export).

Setup

  1. Go to Sources in RunReveal
  2. Click the Hugging Face source tile
  3. Give it a name
  4. Fill in your Organization name and an Access Token
  5. Click Connect Source

Access Token Configuration

Prerequisites:

  • You must be an organization admin on a Team or Enterprise plan. The audit-log export endpoint is only available to these plans.

Creating the Access Token:

  1. Sign in to huggingface.co as an organization admin
  2. Navigate to Settings → Access Tokens
  3. Click Create new token with read access to your organization
  4. Copy the token — it will only be displayed once

Team or Enterprise Required: The audit-log export endpoint requires an organization admin on a Team or Enterprise plan. If requests return an authorization error, confirm the token belongs to an admin and that your organization is on a supported plan.

Collected Events

Hugging Face audit events follow a scope.action naming convention. RunReveal stores the event type in the eventName field. Scopes include:

  • org — membership, roles, invitations, SSO login/join, settings, token approval, and security configuration changes (e.g. org.add_user, org.remove_user, org.sso_login, org.update_settings)
  • repo — repository lifecycle, secrets and variables, settings, and trusted publishers (e.g. repo.create, repo.delete, repo.move, repo.update_settings)
  • collection — collection create and delete events
  • spaces — storage, volumes, hardware, and sleep-time changes
  • resource_group — resource group lifecycle and membership changes
  • jobs / scheduled_job — job creation, cancellation, and schedule changes
  • billing — subscription, payment method, and marketplace changes
  • oauth — OAuth token activity

Event Data Structure

Each audit event includes:

  • Event ID and Type — Unique identifier (_id) and event type (type)
  • Timestamp — When the action occurred (createdAt, RFC 3339)
  • Actor Information — Author username, ID, and type
  • Network Context — Source IP address and resolved location (country, city)
  • Token Context — When applicable, the token type, role, and last 4 characters used for the action

Data Collection

  • Collection Method: API polling every 5 minutes
  • Backfill: On first connection RunReveal ingests all available audit history (the export returns up to the last 100,000 events)
  • Event Format: JSON with normalized fields for consistent querying

Schema

The following columns are exposed for this source. RunReveal applies schema normalization across all sources, ensuring uniform field names and data types for cross-source queries and reusable detection logic.

Table: huggingface_logs (51 columns)

ColumnType
workspaceIDString
sourceIDString
sourceTypeString
sourceTTLUInt32
receivedAtDateTime
idString
eventTimeDateTime
eventNameString
eventIDString
srcIPString
srcASCountryCodeString
srcASNumberUInt32
srcASOrganizationString
srcCityString
srcConnectionTypeString
srcISPString
srcLatitudeFloat64
srcLongitudeFloat64
srcUserTypeString
dstIPString
dstASCountryCodeString
dstASNumberUInt32
dstASOrganizationString
dstCityString
dstConnectionTypeString
dstISPString
ColumnType
dstLatitudeFloat64
dstLongitudeFloat64
dstUserTypeString
actorMap(String, String)
tagsMap(String, String)
resourcesArray(String)
serviceNameString
enrichmentsArray(Tuple(data Map(String, String), name String, provider String, type String, value String))
readOnlyBool
rawLogString
auditIDString
eventTypeString
messageString
authorIDString
authorUserString
authorTypeString
actorIPString
locationFormattedString
locationCountryString
locationCityString
tokenTypeString
tokenIDString
tokenRoleString
tokenLast4String
tokenDeletedBool

On this page